Critical Guidance on the CVE 2022-22965 (Spring4Shell) Vulnerability
On March 29, 2022, a security researcher with the handle p1n93r disclosed a Spring Framework remote code execution (RCE) vulnerability, which was archived by vx-underground. This vulnerability, known as Spring4Shell, affects applications that run on JDK 9 or above, use Apache Tomcat as the Servlet container, are deployed as a WAR package, and depend on spring-webmvc or spring-webflux from the Spring Framework. This vulnerability is being tracked under CVE-2022-22965.
Note that due to the generality of the vulnerability, there could be other ways to exploit it.
This post is meant to provide guidelines and recommendations on how to prevent, detect, and mitigate this possible vulnerability. In general, TrustedSec recommends organizations perform the following:
- Actively scan systems or use software inventories to identify vulnerable versions of Spring Framework
- Update vulnerable versions of Spring Framework or apply mitigations
- Search for exploitation and post-exploitation activities
TrustedSec recommends upgrading Spring Boot to 2.6.6 or 2.5.12, and Spring Framework to version 5.3.18 or 5.2.20, per vendor guidance.
Affected Versions
- Spring Framework
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older unsupported versions
Vendor Notifications
- Spring has released its early announcement of the RCE
- VMware Tanzu has released their security advisory for CVE-2022-22965
- Cloudflare has released Web Application Firewall (WAF) guidance
- Sysdig’s blog post on CVE-2022-22965
Prevention and Mitigation
The primary way to mitigate and prevent exploitation of CVE-2022-22965 is to apply the official Spring patch appropriate to your application.
- Spring Boot 2.6.6
- Spring Boot 2.5.12
- Spring Framework 5.3.18 or Spring Framework 5.2.20 are not affected
If patching or upgrading is not possible, the manual options below can help deter exploitation attempts. Note that they must be tested prior to deployment, both to confirm they are effective and to validate that operations will not be interrupted.
Web Application Firewall (WAF) Policy
Consider implementing a WAF rule on exposed Spring Framework systems that blocks request parameters matching the following patterns:
"class.*", "Class.*", "*.class.*", "*.Class.*"
NOTE: Cloudflare is currently investigating an emergency release rule for protection against CVE-2022-22965.
Implementing a Denylist in Spring
As a temporary mitigation, create a global @ControllerAdvice class alongside the controllers, ensuring that the DataBinder denies the same patterns as the WAF policy above, as recommended by Spring.
```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller; LOWEST_PRECEDENCE so it runs after other advice.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Same patterns as the WAF policy: refuse to bind any property path
        // that walks through "class"/"Class" (e.g. into the ClassLoader).
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```
There is also a safer implementation of the above workaround: extend RequestMappingHandlerAdapter to update the WebDataBinder after initialization, and register it through a WebMvcRegistrations declaration for Spring MVC or a WebFluxRegistrations declaration for Spring WebFlux.
CVE-2022-22965 Detection
Below are detection opportunities for CVE-2022-22965 that can be used to identify vulnerable systems and exploitation attempts.
- Florian Roth created a YARA rule that detects possible web shells dropped on a system and proof-of-concept exploit attempts
- Hilko Bengen created a local CVE-2022-22965 vulnerability scanner written in Go (cross-platform) that searches for Spring artifacts, using artifact data obtained from the Maven Central repository
- The OWASP Dependency Check tool can also be used to produce an aggregate report covering a project and its child projects by running the following command (see the additional properties for OWASP Dependency Check):
mvn org.owasp:dependency-check-maven:aggregate
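As an added example of the first recommendation (actively scanning systems for vulnerable Spring Framework versions), the following stand-alone Java program walks a directory tree and reports spring-beans, spring-webmvc and spring-webflux artifacts, including ones nested inside WAR, EAR or Spring Boot fat JAR files, whose version falls in the affected ranges listed above. It is not code from the original post or from any of the scanners it links to. It assumes artifacts carry their version in the file name (the Maven convention, e.g. spring-beans-5.3.17.jar); the class and method names are assumptions. A hit marks a candidate host for patching, not confirmed exploitability, since exploitation also depends on the JDK version and deployment model described at the top of the post.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

/** Added example (hypothetical name): finds Spring artifacts in affected version ranges. */
public class SpringArtifactScanner {

    // Maven-style artifact names: spring-beans-5.3.17.jar, WEB-INF/lib/spring-webmvc-5.2.19.jar, ...
    private static final Pattern SPRING_JAR =
            Pattern.compile("(spring-(?:beans|webmvc|webflux))-(\\d+)\\.(\\d+)\\.(\\d+)[^/]*\\.jar$");

    /** One artifact seen during the scan. */
    public static final class Finding {
        public final String location, artifact, version;
        public final boolean affected;
        Finding(String location, String artifact, String version, boolean affected) {
            this.location = location; this.artifact = artifact; this.version = version; this.affected = affected;
        }
    }

    /** Affected ranges from the advisory: 5.3.0-5.3.17, 5.2.0-5.2.19, and older unsupported versions. */
    static boolean isAffected(int major, int minor, int patch) {
        if (major < 5) return true;           // 4.x and earlier: unsupported, treated as affected
        if (major > 5) return false;
        if (minor < 2) return true;           // 5.0.x / 5.1.x: unsupported, treated as affected
        if (minor == 2) return patch <= 19;
        if (minor == 3) return patch <= 17;
        return false;
    }

    /** Classifies a path or archive entry name; returns null if it is not a Spring artifact we track. */
    static Finding classify(String location, String name) {
        Matcher m = SPRING_JAR.matcher(name);
        if (!m.find()) return null;
        int major = Integer.parseInt(m.group(2));
        int minor = Integer.parseInt(m.group(3));
        int patch = Integer.parseInt(m.group(4));
        String version = major + "." + minor + "." + patch;
        return new Finding(location, m.group(1), version, isAffected(major, minor, patch));
    }

    /** Walks the tree: plain JARs are classified by name; other archives are opened for nested Spring JARs. */
    public static List<Finding> scan(Path root) throws IOException {
        List<Finding> findings = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(root)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                if (!Files.isRegularFile(p)) continue;
                String fileName = p.getFileName().toString();
                Finding direct = classify(p.toString(), fileName);
                if (direct != null) {
                    findings.add(direct);
                } else if (fileName.endsWith(".war") || fileName.endsWith(".ear") || fileName.endsWith(".jar")) {
                    scanArchive(p, findings);   // WAR/EAR libs and Spring Boot BOOT-INF/lib entries
                }
            }
        }
        return findings;
    }

    private static void scanArchive(Path archive, List<Finding> findings) {
        try (InputStream in = Files.newInputStream(archive); JarInputStream jar = new JarInputStream(in)) {
            JarEntry entry;
            while ((entry = jar.getNextJarEntry()) != null) {
                Finding nested = classify(archive + "!/" + entry.getName(), entry.getName());
                if (nested != null) findings.add(nested);
            }
        } catch (IOException e) {
            System.err.println("skipping unreadable archive " + archive + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        for (Finding f : scan(root)) {
            System.out.printf("%-10s %s %s (%s)%n",
                    f.affected ? "VULNERABLE" : "ok", f.artifact, f.version, f.location);
        }
    }
}
```

Run it against an application server's deployment directory (for example the Tomcat webapps directory). Because it keys on file names, it will miss shaded or renamed JARs; for those, a hash-based scanner such as the one by Hilko Bengen linked below, or the OWASP Dependency Check report, is the better check.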
A Different Vulnerability Related to Spring: CVE-2022-22963
The CVE-2022-22963 vulnerability is specific to Spring Cloud Function (not to be confused with CVE-2022-22965) in versions 3.16, 3.2.2, and older unsupported versions when using the routing function. When the routing function is used, it might be possible for a user to supply custom Spring Expression Language (SpEL) data as a routing expression, which might result in local resource access.
Colin Cowie of Sophos created a helpful infographic detailing the different Spring vulnerabilities to aid in distinguishing between them.
Additional Resources
The security community has quickly come together to gather information (and misinformation) with the additional resources shown below.
Git commit of the deprecated SerializationUtils#deserialize for CVE-2022-22963 - https://github.com/spring-projects/spring-framework/pull/28075
Infographic - https://twitter.com/th3_protoCOL/status/1509201539461619715
Vendor - https://tanzu.vmware.com/security/
Blogs
https://buaq.net/go-108269.html
https://www.praetorian.com/blog/spring-core-jdk9-rce/
https://bugalert.org/content/notices/2022-03-30-spring.html
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
https://isc.sans.edu/diary/rss/28498
Proof of Concepts
https://github.com/craig/SpringCore0day/blob/main/exp.py
https://its.pku.edu.cn/announce/tz20220330110501.jsp
https://twitter.com/vxunderground/status/1509170582469943303?s=21&t=Z7s-rk8lmTyWv8lBrZ7jUg
https://github.com/RanDengShiFu/CVE-2022-22963
Detections
https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar
https://github.com/hillu/local-spring-vuln-scanner
https://twitter.com/SeanWrightSec/status/1509576348452499457
https://twitter.com/RandoriAttack/status/1509298490106593283